Staff Member

On Tuesday, May 3 2016, ImageMagick announced a vulnerability in all versions of the ImageMagick software. ImageMagick is a software package commonly used by web services to process images.

Impact

One of the reported vulnerabilities can potentially be exploited for remote code execution (RCE).

Releases

ImageMagick has not released a fix, but plans to publish a new version of ImageMagick with the fixes soon. cPanel normally releases all builds at once in order to limit the ability to reverse engineer fixes. However, this vulnerability is already widely known and we have seen reports of its use. In this instance, we plan to release builds as soon as they become available.

At this time the following builds are available:
11.56 11.56.0.13
EDGE 11.55.9999.193
CURRENT 11.56.0.13
RELEASE 11.56.0.13

How to determine if your server is up to date

The updated RPMs provided by cPanel will contain a changelog entry with a CVE number. To view this changelog entry run the following command:
rpm -q --changelog cpanel-ImageMagick | grep CVE-2016-3714

If you have a local installation of ImageMagick, we recommend that you use a policy file to disable the vulnerable ImageMagick coders. We will attempt to use the WHM Autofixer to update the policy.xml file. The global policy for ImageMagick is usually found in the /etc/ImageMagick/policy.xml file. The following policy.xml example disables the coders EPHEMERAL, URL, HTTPS, MVG, and MSL:
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
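The two checks above (the RPM changelog and the policy.xml contents) are easy to get wrong by eye: a policy line that is commented out, or a file that lists attributes in a different order, still "looks" right. The following POSIX shell script is an added example, not code from the cPanel post or the cPanel product. It verifies that every coder from the post's list is denied in a given policy.xml, reports which ones are not, and, where rpm is available, runs the post's changelog check. The sample policy it tests against is constructed inline for demonstration; the two file paths it looks at on a real server are the ones named in this thread, and any other locations (for example a CloudLinux CageFS copy) would need to be added by the operator.

```shell
#!/bin/sh
# Added example, not from the cPanel post: verify that an ImageMagick
# policy.xml actually denies the coders named in the advisory, and,
# on a cPanel server, that the RPM changelog mentions CVE-2016-3714.

# Coders the post tells you to deny. Pass a different list as arguments
# to check_policy if you follow a longer vendor list.
DEFAULT_CODERS="EPHEMERAL URL HTTPS MVG MSL"

# Print "ok <coder>" or "MISSING <coder>" for each coder and return the
# number of coders that are not denied (0 means the file is complete).
check_policy() {
    policy="$1"; shift
    if [ ! -r "$policy" ]; then
        echo "cannot read $policy" >&2
        return 2
    fi
    [ $# -gt 0 ] || set -- $DEFAULT_CODERS
    missing=0
    # Drop single-line XML comments first: a commented-out
    # <!-- <policy ... pattern="MSL" /> --> must not count as a denial.
    active="$(sed 's/<!--.*-->//' "$policy")"
    for coder in "$@"; do
        # Attribute order differs between distributions, so test each
        # attribute separately instead of matching one fixed string.
        if printf '%s\n' "$active" | grep -i '<policy' \
            | grep -i 'domain="coder"' | grep -i 'rights="none"' \
            | grep -qi "pattern=\"$coder\""; then
            echo "ok       $coder"
        else
            echo "MISSING  $coder"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# The post's RPM check. True when the installed cpanel-ImageMagick
# changelog mentions CVE-2016-3714; returns 2 where rpm is not installed.
rpm_has_cve_fix() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -q --changelog cpanel-ImageMagick 2>/dev/null | grep -q 'CVE-2016-3714'
}

# Policy files named in this thread: the distribution copy and cPanel's
# bundled copy. Files that do not exist on this host are skipped.
check_known_policies() {
    for f in /etc/ImageMagick/policy.xml \
             /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml; do
        [ -r "$f" ] || continue
        echo "== $f"
        check_policy "$f" || echo "   $? coder(s) not denied in $f"
    done
}

# Constructed sample for demonstration (not a real server's file): the
# post's policy with attribute order varied and the MSL line commented
# out, so exactly one coder must be reported as missing.
SAMPLE_POLICY="$(mktemp)"
trap 'rm -f "$SAMPLE_POLICY"' EXIT
cat > "$SAMPLE_POLICY" <<'EOF'
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy rights="none" domain="coder" pattern="MVG" />
  <!-- <policy domain="coder" rights="none" pattern="MSL" /> -->
</policymap>
EOF

if check_policy "$SAMPLE_POLICY"; then
    echo "sample policy denies every listed coder"
else
    echo "sample policy incomplete: $? coder(s) not denied"
fi
check_known_policies
if rpm_has_cve_fix; then echo "cpanel-ImageMagick changelog mentions CVE-2016-3714"; fi
```

Run it as root on the server to cover the cPanel-bundled copy; the grep-based check is deliberately conservative and only recognises single-line XML comments, so a policy wrapped in a multi-line comment should be inspected by hand.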

I had already modified my own policy files prior to this. Of course, the update didn't touch the CL-included ImageMagick policy file (and I wouldn't expect it to, I guess), and anyone running CloudLinux should follow CL's instructions on their blog for thoroughness (ImageMagick Filtering Vulnerability - CVE-2016-3714). CloudLinux instructs how/where to modify ALL applicable policy.xml files and actually disables more patterns than the cPanel instructions do.

1. Is it safe to assume that, since the update accessed/changed /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml, the reason why it didn't actually modify it is that it compared the contents and found the workaround already in those files?

2. CloudLinux suggests disabling two more coders as well as modifying additional CL-specific files and running cagefsctl --force-update. See this post:

3. Redhat and ImageMagick suggest disabling more coders and adding another line.

But they appear to suggest that the "path" line addition is only something available in the latest ImageMagick versions and [I'm guessing] probably would not have any effect if policy.xml in older versions was edited further.

Staff Member

This issue continues to evolve as new information rolls in. The coders we recommend to disable are effective against the payloads discovered initially, but it would be prudent to follow Red Hat's recommendations since they have diverged from the original guidance.

If you manually modified /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml it's likely the patch would have failed when you updated, and you will probably also get RPM verify failure notifications, but it will still have the desired mitigation impact.

We will provide additional information as necessary at the knowledge base article linked below:


Do you guys know any fixes for CentOS 5.x based systems, which use ImageMagick 6.2.8, where policy.xml is not supported?

[Update about the ImageMagick Vulnerability]
The guys from ImageTragick have updated the exclusion list you must enter in policy.xml. Here is the latest list: